From: Bernd Felsche
Hello Jonathan, All,
Perhaps someone can confirm a brainstorm for me that I just had. Not knowing the total ins and outs of ADSL, but, let's take the 13 IP addresses, and put them at the router (which I assume is what happens). Surely then I can use a 4 port hub from the ADSL router, and put one portion of it to another hub with all my servers on (each server set up with one of the 13 IPs or so), and they'd work? I could then take a feed off the same 4 port hub, plug it through the firewall, and onto the local LAN. Would this work? I could assign the suse firewall one of the 13 IPs and use NAT internally on the LAN (see diagram.)
Check out this diagram and see what you make of it.
**********
*Internet*---[ADSL ROUTER]
**********         |
                   |
                 [hub]
                 /   \
                /     \
               /       \
              /         \
             /           \
         [hub]       [suse firewall]
          /
         /
        /                  \
   [Servers]                \
                           [hub]
                              \
                               \
                                \
                             [LAN PCs]
Regards,
Lee.
Friday, December 15, 2000, 8:56:40 PM, you wrote:
With the adsl package I will be assigned 13 IP addresses. I need to segregate one section of the network for the LAN (using NAT and to firewall it off), and another section for the 'DMZ', where 95% of the IP addresses will be used to run various net facing servers.
Lee
JPC> I am assuming that your topography looks something like:
JPC> |---------------|                      |---------------|
JPC> |               |(ethernet1)           |               |
JPC> |      DMZ      |\                     |   Internet    |
JPC> |               | \          /         |               |
JPC> |---------------|  \        /          |---------------|
JPC>                     \      /ADSL               |
JPC>                      \    /                    |
JPC>                      SuSE6.4                   |ADSL
JPC>                      Firewall                  |
JPC>                      /    \                    |
JPC> |---------------|   /      \           |---------------|
JPC> |               |  /        \          |  Server Farm  |
JPC> |      LAN      | /          \         |---------------|
JPC> |               |(ethernet2) (ethernet3)
JPC> |---------------|
Security is never easy. If it is, it's not secure.

I would advise against that topology unless you're also treating the (ethernet3) segment as a DMZ. A direct ADSL connection is of little benefit, if any, as you only have the one wire carrying all ADSL traffic coming out of the building anyway.

Keep the server farm in a DMZ and have the firewall respond to all the useful assigned IP addresses, forwarding to corresponding servers as necessary.

It would also be a good idea (IMHO) to set up an "internal" firewall for the NAT on your LAN. That is to simplify the filtering on the "front" firewall and to make both firewalls more secure.

--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | I'm a .signature virus!       |
 X   against HTML mail     | Copy me into your ~/.signature|
/ \  and postings          | to help me spread!            |
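
The layout recommended in the reply above (firewall answering for the public addresses, forwarding each to a DMZ server, LAN behind NAT), written out as a ruleset generator. This is an added example, not part of the original thread: the iptables-restore format, interface names, addresses and service map are all assumptions, and it covers a single three-legged firewall rather than the separate internal firewall also suggested.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a three-legged firewall.
# Interface names, addresses and the service map are constructed placeholders.
WAN_IF=eth0              # towards the ADSL router (assumed)
DMZ_IF=eth1              # server farm / DMZ (assumed)
LAN_IF=eth2              # internal LAN behind NAT (assumed)
LAN_NET=192.168.1.0/24   # assumed private LAN range
# public_ip proto port dmz_host (constructed; 203.0.113.0/28 is a documentation range)
SERVICES='203.0.113.2 tcp 80 10.0.0.2
203.0.113.3 tcp 25 10.0.0.3
203.0.113.4 udp 53 10.0.0.4'

gen_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "$SERVICES" | while read -r pub proto port host; do
        # The firewall answers for each public address and forwards one port only.
        echo "-A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $host"
    done
    # LAN hosts reach the Internet through NAT on the firewall.
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "$SERVICES" | while read -r pub proto port host; do
        # After DNAT the destination is the DMZ host, so filter on that address.
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $host -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -m conntrack --ctstate NEW -j ACCEPT"
    # No rule lets the DMZ open connections to the LAN or outwards:
    # the default FORWARD DROP policy covers both.
    echo 'COMMIT'
}

# Print the ruleset; check it with: gen_rules | iptables-restore --test
gen_rules
```

The public addresses also have to be configured on the WAN interface (or answered by proxy ARP) before the firewall will receive traffic for them.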